• No link when LAN connects to Cisco Switch

    11
    0 Votes
    11 Posts
    1k Views
    stephenw10S

    Ah, that sounds like it's missing some lines and the linksys can detect that and fall back to 100M, which only needs two pairs. If that is the case then setting 100M fixed at both em0 and the Cisco switch should also link. If that does work then you are losing some connections somewhere. If not the cable then it could be in the port perhaps?

    Steve

  • V2.6.0 browser cookies warning loop

    Moved
    6
    0 Votes
    6 Posts
    1k Views
    G

    I have a new, clean install of 2.6.0 CE that is doing the same thing as the OP described.

    I'm running this box in a VMWare environment. Initial install went normal, with no issues. The issue started when I went into System->Advanced and tried to tell the webConfigurator to use HTTPS. I'm using the default self-signed certificate. The WebGUI redirect box is unchecked (default) and the Anti-lockout is enabled (default). As soon as I click the Save button it breaks the webConfigurator. Every browser gives the message "This browser must support cookies". I have also tried multiple browsers from multiple machines with different OS's. The only way to regain access is to use the console and re-enter the LAN static IP. During that process it asks if the webConfigurator should be reset, choose Y and it resets back to HTTP access only and access is regained.

    Has anyone found why this is happening?

  • Allow access without NAT IP?

    6
    0 Votes
    6 Posts
    626 Views
    L

    @johnpoz said in Allow access without NAT IP?:

    @lewis just create an alias and put in the fqdn.. Then use that alias as your source.

    I just noticed I do have an FQDN alias, for the voip provider.
    That's great, that will work.

    Thanks so much. I just love pfsense. I recommend it to anyone I come across that talks about needing a firewall. It's amazing.

  • pfSense using Swap even when RAM is avaliable

    2
    0 Votes
    2 Posts
    389 Views
    stephenw10S

    The swap slice is also used for crash reports, but that would be a lot of crash reports!

    It shows like that if the RAM has ever been exhausted. Check the monitoring graphs for historical RAM usage.

    Steve

  • pfSense with CloudFlare (and WireGuard - soon) - setup AD DS

    49
    0 Votes
    49 Posts
    11k Views
    bmeeksB

    @bearhntr said in pfSense with CloudFlare (and WireGuard - soon) - setup AD DS:

    @bmeeks

    I think I may have it all working. pfSense has the DOMAIN overrides in place for the ipv4 and v6 addresses.

    There are no DNS servers in pfSense GENERAL setup area.

    There are no FORWARDERS in AD DNS. All root hints (v4 and v6) are populated and resolve. Some of my devices are picking up IPv6 addresses on reboot.

    Still not getting things added to DNS for DHCP reservations...but I am gonna watch it and see how it goes as they start expiring.

    NSLookup is now showing IPv6 address for DNS/DC - but not the IPv4 (on the AD DS server).

    AGAIN - Much appreciate for the help. I will update as I learn more.

    Glad it is working better. Windows prefers IPv6 when available, so no surprise about how the IP addresses are showing up.

    As for DNS registration of local hosts, that is highly dependent on the dhcp client app on the local host. Things like Windows and most Linux desktops will either by default supply a desired hostname when requesting a DHCP address, or they can be configured to do so. Some Linux operating systems don't do that by default, but can easily be configured to supply a desired hostname with the DHCP request.

    IoT devices are a toss up, though. Some may, but I suspect most won't, supply a desired hostname when requesting an address via DHCP. For those devices, you either need to do static IP assignments via MAC reservations in DHCP and manually provide static DNS names, or just forgo that feature for some devices.

    IPv6 can also be a hindrance here because devices can and will have multiple IPv6 addresses by default (privacy extensions, for example). All of those may not get DNS registration. That's one of my beefs with IPv6 -- it seems referring to devices by a hostname was not fully thought through when it comes to all the multiple IPv6 addresses a client might have.

  • BandwidthD reporting no data for just one vlan

    9
    0 Votes
    9 Posts
    963 Views
    S

    In the BandwidthD settings there are two checkboxes that as I recall default to unchecked:

    Output to CDF: Log data to CDF files log*.cdf
    Recover CDF: Read back the CDF files on startup.

    Checking those saves data across a router restart but not a pfSense upgrade, I'm guessing because the package is reinstalled (?). So uninstall/reinstall should do the trick.

  • Automatic reboot in case of problem or non-manageable access

    4
    0 Votes
    4 Posts
    546 Views
    stephenw10S

    If you disable the debugger like that my understanding is that you will get no backtrace or crashreport of any kind so solving issues becomes far more difficult.

    Watchdogd is used so it does have some software watchdog capability.

    Steve

  • pfsense 2.6.0 sshguard @ web gui bug/crash

    108
    0 Votes
    108 Posts
    26k Views
    VioletDragonV

    @stephenw10 Yeah will just renew the certs on a fresh install, see if that helps with some of the problems I am facing.

  • pfSense completely unaccessible either from network (SSH/GUI) & Serial

    3
    0 Votes
    3 Posts
    434 Views
    H

    @stephenw10 It looked like it had some sort of corruption of its hard drive and it was not able to boot; while connected through the serial and rebooting the system we were able to see this issue.

    Contacting with Netgate support we were able to restore pfSense so this ticket can now be closed.
    Thanks.

  • Intenet is not accessible using PFsense

    25
    0 Votes
    25 Posts
    4k Views
    E

    Sorry, I was busy these days
    I will do it
    Thank you Steve

  • Strange behaviour? No Captcha, for example

    2
    0 Votes
    2 Posts
    414 Views
    stephenw10S

    It sounds like one of two things:

    1. An MTU issue. Check everything is using 1500, at least internally.

    2. An IPv6 problem. pfSense will try to use IPv6 by default and if it has any IPv6 connectivity it will hand out v6 IPs to clients. Most clients will then try to use that by default in preference to v4 and if there isn't actually full connectivity the browsing experience goes to crap as they have to timeout before trying v4. Disable DHCPv6/RA in pfSense if you're not using it.

    Also see: https://docs.netgate.com/pfsense/en/latest/troubleshooting/website-access-issues.html

    Steve

  • Loader.conf / Systel?

    4
    0 Votes
    4 Posts
    552 Views
    stephenw10S

    You can put whatever loader values you want in there but you shouldn't need to add anything.

    Steve

  • pfsense issues with Vodafone Gigabox (Ireland)

    8
    0 Votes
    8 Posts
    1k Views
    stephenw10S

    Hmm, well that's pretty vanilla hardware. Do you have WAN just using one of the em ports directly? No bridges or laggs configured?

    Have you tested using the fxp port as WAN?

    Steve

  • Netgate SG-1100 router - How do I login?

    3
    0 Votes
    3 Posts
    645 Views
    R

    @rcoleman-netgate said in Netgate SG-1100 router - How do I login?:

    connect to the console

    Thanks this is very helpful...

    I will try your link.

  • Are these floating rules correct?

    5
    0 Votes
    5 Posts
    678 Views
    S

    @upper-deck If you're finding traffic isn't getting into the queues as expected (Status/Queues) I suggest finding the state for the IP (Diagnostics/States). For example, downloads from a web server are generally an incoming connection to the web server and the download is merely the response.

  • [solved] Notifications on multiple emails

    12
    0 Votes
    12 Posts
    2k Views
    B

    Thanks everyone for the help. The issue was the email server provider.
    I configure with gmail app password and can send to more recipients successfully.

  • A certificate link penetration problem

    14
    0 Votes
    14 Posts
    1k Views
    C

    Sorry, I haven't found out what the problem is, I only have to transfer this function to a device that is not a pfsense gateway.

  • How to cleanly get data to security onion?

    12
    0 Votes
    12 Posts
    3k Views
    JonathanLeeJ

    @jonathanlee

    I got it to work with VirtualBox only; Security Onion was accessible. I set up port forwarding. However, I could not access it outside of the guest machine. Many SSL errors. I have major issues now with Windows 10 running Hyper-V without it being enabled. I also had the blue screen of death. This was the reason for using VirtualBox. Security Onion would not work correctly with Hyper-V for me. I also used a NIC MAC to clone for data marshalling to test if it would clone my laptop's IP and that worked.

    This leaves me with questions like is there any container protected NICs security equipped network cards for high security systems like firewalls. My reason for the question is the data marshalling with a clone MAC, and how containers have no visibility with the antivirus on the physical machines. I have also been told during my cyber security classes that scanning for VM and containers are a current issue in the cyber security world. I started to wonder if software could control a security chip built onto the NIC and take control of all NIC features with the physical host machine's software, and control approved container and virtual software access right on the card. Enough daydreaming for me. . .

    If you want to check out more info on this adventure to try to get this to work in a virtual environment here is my aftermath issues, that really point out some current security issues with today's hardware.

    More on Containers and Network Card Security Issues:
    https://answers.microsoft.com/en-us/protect/forum/all/hyper-v-running-even-after-being-disabled/8d048265-d0d9-465d-b647-9e121ea059bf

    VirtualBox Install of Security Onion:
    https://docs.securityonion.net/en/2.3/virtualbox.html#:~:text=Click%20the%20icon%2C%20then%20select,%E2%80%9CAdvanced%E2%80%9D%20options%2C%20set%20%E2%80%9C

    Port Forward with VirtualBox:
    https://www.golinuxcloud.com/configure-nat-port-forwarding-virtualbox-cli/

  • 0 Votes
    32 Posts
    5k Views
    stephenw10S

    Hmm, how much older was the previous installation? It might have been installed, and therefore booting, legacy and now the clean install is UEFI and failing.
    You could try reinstalling as legacy BIOS.

    Steve

  • 0 Votes
    18 Posts
    3k Views
    stephenw10S

    Manually forcing reinstall of pfSense-kernel-pfSense-2.6.0.pkg should get you onto the correct kernel after a reboot. But the kernel file you have already looks correct.
    Once you do that can you ever be 100% confident of the install?
    If reinstalling is very inconvenient then it's probably worth trying first but reinstalling and restoring a config is usually quick and easy.
    https://docs.netgate.com/pfsense/en/latest/backup/restore-during-install.html

    Steve

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.